Golang Snippet #10
Bookmarked!This challenge covers the review of a snippet of code written in Golang
In this lab, we examine a piece of Golang code that handles HTTP requests and serves files based on URL parameters. The main function sets up an HTTP server listening on port 8080, mapping requests to the handler function. The handler function attempts to open a file specified by a URL parameter, clean the path, and serve the file's contents.
The vulnerability lies in the use of path.Clean
to sanitize the file path. While path.Clean
simplifies paths by removing relative path segments like ./
, it does not entirely mitigate directory traversal attacks. An attacker can exploit this by using paths like ../../etc/passwd
to access sensitive files outside the intended directory, as path.Clean
does not remove leading ../
segments unless prefixed by a /
.